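# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Juniper NetScreen syslog output.
#
# It declares the log fields, the parsing filter that extracts them from
# v.syslog_message, the database fields built from them, and the derived
# numerical fields.  Every value collected below is copied verbatim from the
# device's syslog text, so report consumers should treat the string fields
# (message, page, email, user, attack, reason) as untrusted input.

net_screen = {

  plugin_version = "1.6"

  # 2007-04-03 - 1.2beta - KBB - Updated syntax and simplified parsing filter.
  # Added support for anti-spam and anti-virus log lines.
  # 2007-04-17 - 1.3beta - KBB - Added support for SurfControl entries.
  # 2007-04-23 - 1.3.1beta - KBB - Made separate field name for SurfControl categories. Fixed a bug
  # where a listed field could be picked up as a category.
  # 2007-09-13 - 1.3.1 - KBB - renumbered per new beta policy and changed name from beta_net_screen.cfg
  # 2008-02-18 - 1.4 - KBB - Fixed bug where v.message was accessed for unsupported lines. v.message is
  # now set to "(omitted)" in the case of a listed fields line. Time is now extracted from end of line
  # if present. Also deleted commented sections left after 1.2beta.
  # 2008-08-27 - 1.5 - KBB - Fixed bug introduced by previous change where v.message was set to
  # "(omitted)" even though it wasn't a listed fields line if it was a line that didn't match any of the
  # expected patterns.
  # 2009-12-28 - 1.6 - Benson Chung - Fixed bug of Admin user, source IP, port and management interface.
  # 2010-10-01 - 1.6 - MSG - Edited info lines.
  # (review, undated) - Restored the Anti-Spam e-mail capture group, whose opening had been lost in
  # this copy, and re-anchored the AV virus-name pattern so it still matches after the trailing
  # timestamp has been stripped (see the NOTE(review) comments in the parsing filter).

  # The name of the log format
  log.format.format_label = "NetScreen Log Format"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # Devices this plugin was written against.
  info.1.manfacturer = "Juniper Networks"
  info.1.device = "Netscreen-25"
  info.1.version.1 = "ns25"
  info.2.manfacturer = "Juniper Networks"
  info.2.device = "NetScreen-204"
  info.2.version = "ns204"

  # The log is in this format if any of the first ten lines match this regular expression
  log.format.autodetect_regular_expression = " NetScreen device_id="

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  log.fields = {
    device_id = ""
    security_level = ""
    attack = ""
    message = ""
    category = ""
    content_category = ""
    start_time = ""
    duration = ""
    policy_id = ""
    service = ""
    protocol = ""
    direction = ""
    action = ""
    email = ""
    reason = ""
    virus = ""
    sent = ""
    rcvd = ""
    bytes = ""
    src.type = "host"
    dst = ""
    src_port = ""
    dst_port = ""
    src_zone = ""
    dst_zone = ""
    translated_ip = ""
    port = ""
    page.type = "page"
    icmp_type = ""
    # NOTE(review): no branch of the parsing filter below sets "interface"; on attack lines the
    # whole "(zone Untrust, int ethernet3)" text lands in src_zone.  A listed-fields line could
    # still supply it as "interface=" -- confirm against live logs before relying on it.
    interface = ""
    user = ""
  } # log.fields

  # Log Parsing Filters
  #
  # Flow: split the syslog message into device_id / security level / message text, pick a
  # coarse "category" from the first words, strip the trailing "(date time)", then try the
  # message-specific branches (admin login, AV, Anti-Spam, URL filtering, attack) and fall back
  # to "key=value" listed fields (traffic lines).  Finally the message text is normalised so that
  # it aggregates well and the entry is accepted.
  log.parsing_filters.parse = `
if (matches_regular_expression(v.syslog_message, 'NetScreen device_id=([^ ]+) *([^:]+): *([^ ].*)$')) then (
  # $2 is e.g. "[Root]system-emergency-00006"; $3 is the free-text remainder.
  set_collected_field('', 'device_id', $1);
  v.security_level = $2;
  v.message = $3;

  # Category: the two words after a leading "The", otherwise the first token (stopped by a
  # space, "=", "<" or ":" so that a listed field or an address is not taken as a category).
  if (matches_regular_expression(v.message, '^The ([^ ]+ [^ ]+) ')) then (
    set_collected_field('', 'category', $1);
  );
  else if (matches_regular_expression(v.message, '^([^ =<:]+)[ <:]')) then (
    set_collected_field('', 'category', $1);
  );

  # "[Root]system-warning-00519" -> user "Root", security_level "system-warning-00519".
  # The bracketed name may be overwritten further down by an "Admin user" login line.
  if (matches_regular_expression(v.security_level, '\\\\[([^]]+)\\\\](.+)')) then (
    set_collected_field('', 'user', $1);
    set_collected_field('', 'security_level', $2);
  );
  else (
    set_collected_field('', 'security_level', v.security_level);
  );

  # Extract date and time from end of line if present.
  # Only matches when "(date time)" is the very end of the message; lines with a trailer such
  # as "<000>" (see the ns25 samples below) are handled by the final clean-up instead.
  #Jan 2 11:27:31 [10.26.4.31.11.11] exalted_egret: NetScreen device_id=exalted_egret [Root]system-emergency-00006: Teardrop attack! From 77.170.77.177 to 11.14.121.211, proto 6 (zone Untrust int ethernet1/2.97). Occurred 1 times. (2008-01-02 11:27:30)
  if (matches_regular_expression(v.message, '(.*) *\\\\(([0-9-]+) ([0-9:]+)\\\\)$')) then (
    v.message = $1;
    set_collected_field('', 'date', $2);
    set_collected_field('', 'time', $3);
  );

  # Extract Admin user name, source ip, port and management interface -by Benson Chung-2009/12/28.
  # [Root]system-warning-00519: Admin user "supervisor" logged in for Web(https) management (port 443) from 123.1.2.3:12345 (2009-04-09 11:13:28)
  # The management port is stored as dst_port; the administrator's address as src/src_port.
  if (matches_regular_expression(v.message, 'user \\"(.*)\\" logged in')) then (
    set_collected_field('', 'user', $1);
    if (matches_regular_expression(v.message, 'port ([0-9]+)\\\\) from ([0-9.]+):([0-9]+)')) then (
      set_collected_field('', 'dst_port', $1);
      set_collected_field('', 'src', $2);
      set_collected_field('', 'src_port', $3);
    );
  );

  #ns204: NetScreen device_id=ns204 [Root]system-warning-00547: AV: VIRUS FOUND: 200.200.30.10:4589->60.50.200.60:25 file _From1396.59810.send1_melma.com__Date1396.59810.send1_melma.com__SubjRe:_important_website_/_website.zip_/data.rtf___________________________________________________________________________ (2007-03-30 14:36:13)
  #ns204: NetScreen device_id=ns204 [Root]system-warning-00547: AV: VIRUS FOUND: 100.50.60.40:2194->80.100.30.100:80, http url: http://www.eicar.org/download/eicar_com.zip, file www.eicar.org/download/eicar_com.zip/eicar.com virus EICAR-Test-File. (2007-03-24 14:18:45)
  #ns204: NetScreen device_id=ns204 [Root]system-warning-00547: AV: VIRUS FOUND: 100.50.60.40:1586->40.70.30.100:62245, ftp filename: /products/eicar-file/eicar.com, file /products/eicar_file/eicar.com/ virus EICAR-Test-File. (2007-03-24 13:34:50)
  if (matches_regular_expression(v.message, '^AV: ([^:]+): ([0-9.]+):([0-9]+)->([0-9.]+):([0-9]+)(.*)$')) then (
    set_collected_field('', 'action', $1);
    set_collected_field('', 'src', $2);
    set_collected_field('', 'src_port', $3);
    set_collected_field('', 'dst', $4);
    set_collected_field('', 'dst_port', $5);
    # Protocol is only known for the "http url:" / "ftp filename:" variants.
    if (matches_regular_expression(v.message, '(ftp|http) (filename|url):')) then (
      set_collected_field('', 'protocol', $1);
    );
    # NOTE(review): the previous pattern 'virus (.*) \\\\(' required a " (" after the name, i.e.
    # the trailing "(date time)".  That timestamp is removed by the date/time match above, so
    # for the sample lines the virus name was never captured.  Capture the name up to its
    # terminating period instead; this works whether or not the timestamp is still present.
    # Assumes the name contains no spaces (true for the samples) -- verify on live data.
    if (matches_regular_expression(v.message, 'virus ([^ ]+)[.]')) then (
      set_collected_field('', 'virus', $1);
    );
  ); # if virus

  # Note: ^M is really a carat and an M, not ctrl-M. Unix syslog may convert it. Other syslogs?
  #ns204: NetScreen device_id=ns204 [Root]system-warning-00563: Anti-Spam: SPAM FOUND ! garbage_email_address@yahoo.co.jp(211.81.1.111) Tag email header reason: Match sbl server blacklist.^M . (2007-03-24 13:09:04)
  # NOTE(review): in this copy the pattern read '... ! ]*)>?\\\\(...' -- the opening of the
  # second capture group was missing, leaving an unbalanced ")" and no e-mail capture.  The
  # group is restored as '<?([^(>]*)>?' from the surviving fragment (an optional <...> around
  # the address, stopped by the "(" that starts the source IP); verify against the upstream
  # plugin if a copy is available.
  else if (contains(v.message, '!') and matches_regular_expression(v.message, '^Anti-Spam: ([^!]+) ! <?([^(>]*)>?\\\\(([0-9.]+)\\\\) [^:]+reason: ([^.]+\.)')) then (
    set_collected_field('', 'action', $1);
    set_collected_field('', 'email', $2);
    set_collected_field('', 'src', $3);
    set_collected_field('', 'reason', $4);
  ); # if spam

  #MTC: NetScreen device_id=MTC [Root]system-warning-00556: UF-MGR: URL BLOCKED: 192.168.10.153(3193)->64.12.185.119(80), Your page aim-charts.pf.aol.com / is blocked due to a security policy that prohibits access to category Chat action: BLOCK, category: Chat, reason: BY_PRE_DEFINED (2007-04-13 10:41:31)
  #MTC: NetScreen device_id=MTC [Root]system-warning-00556: UF-MGR: URL BLOCKED: 192.168.15.175(4352)->208.45.133.152(80), Your page docs1.iwon.com /iw3_uni3.js is blocked due to a security policy that prohibits access to category Hacking action: BLOCK, category: Hacking, reason: BY_PRE_DEFINED (2007-04-13 10:42:11)
  # The pattern ends with "reason: ([^ ]+) " -- the space is what remains after the trailing
  # timestamp was stripped above.
  # NOTE(review): this branch relies on $10; confirm matches_regular_expression() exposes a
  # tenth capture in the Sawmill version in use.
  else if (matches_regular_expression(v.message, '^UF-MGR: ([^:]+): ([0-9.]+)\\\\(([0-9]+)\\\\)->([0-9.]+)\\\\(([0-9]+)\\\\), Your page ([^ ]+) ([^ ]+) is [^:]+ action: ([^,]+), category: ([^,]+), reason: ([^ ]+) ')) then (
    # Keep the leading phrase ("URL BLOCKED") unless the trailing "action:" value is
    # something it does not already contain.
    v.action = $1;
    if (!contains(v.action, $8)) then (
      v.action = $8;
    );
    set_collected_field('', 'action', v.action);
    set_collected_field('', 'src', $2);
    set_collected_field('', 'src_port', $3);
    set_collected_field('', 'dst', $4);
    set_collected_field('', 'dst_port', $5);
    # page = host followed by path ("aim-charts.pf.aol.com" . "/").
    set_collected_field('', 'page', $6 . $7);
    set_collected_field('', 'content_category', $9);
    set_collected_field('', 'reason', $10);
  ); # if SurfControl

  #ns25: NetScreen device_id=ns25 [Root]system-emergency-00006: Teardrop attack! From 131.134.88.8 to 65.136.140.150, proto 50 (zone Untrust, int ethernet3). Occurred 1 times. (2005-08-17 07:51:37)<000>
  #ns25: NetScreen device_id=ns25 [Root]system-alert-00016: Port scan! From 65.62.243.217:80 to 66.136.140.150:13505, proto TCP (zone Untrust, int ethernet3). Occurred 1 times. (2005-08-24 21:36:44)<000>
  # Ports are optional (":*([0-9]*)"), so src_port/dst_port may be empty for these lines.
  # src_zone receives everything inside "(zone ...)", including any ", int ..." part.
  else if (contains(v.message, '!') and matches_regular_expression(v.message, '^([^!]+)! From ([0-9.]+):*([0-9]*) to ([0-9.]+):*([0-9]*), proto ([^ ]+) \\\\(zone ([^)]+)\\\\).')) then (
    set_collected_field('', 'attack', $1);
    set_collected_field('', 'src', $2);
    set_collected_field('', 'src_port', $3);
    set_collected_field('', 'dst', $4);
    set_collected_field('', 'dst_port', $5);
    set_collected_field('', 'protocol', $6);
    set_collected_field('', 'src_zone', $7);
  ) # if attack

  #Dec 31 16:58:52 [10.26.1.11.11.54] lowly_lizard: NetScreen device_id=lowly_lizard [Root]system-notification-00257(traffic): start_time="2007-12-31 16:58:52" duration=0 policy_id=54 service=udp/port:370 proto=17 src zone=Trust dst zone=Untrust action=Deny sent=0 rcvd=0 src=10.6.16.66 dst=66.215.245.166 src_port=9370 dst_port=370 session_id=0
  else (
    # Rename the two-word keys so that every pair is a single "key=value" token.
    v.message = replace_first(v.message, 'src zone=', 'src_zone=');
    v.message = replace_first(v.message, 'dst zone=', 'dst_zone=');
    v.message = replace_first(v.message, 'translated ip=', 'translated_ip=');
    v.message = replace_first(v.message, 'src-xlated ip=', 'translated_ip=');
    v.message = replace_first(v.message, 'icmp type=', 'icmp_type=');
    # Only treat the line as listed fields when at least two "key=value" pairs are present.
    if (matches_regular_expression(v.message, '[^=]+=[^ ]+ [^=]+=')) then (
      # Every "key=value" token is collected ("proto" is mapped to "protocol").  Presumably only
      # keys declared in log.fields are kept -- confirm, since the tokens come straight from the
      # device's message text.
      collect_listed_fields('', v.message, ' ', '=', 'proto=protocol');
      if (matches_regular_expression(get_collected_field('', 'start_time'), '([0-9]+-[0-9]+-[0-9]+) ([0-9]+:[0-9]+:[0-9]+)')) then (
        set_collected_field('', 'date', $1);
        set_collected_field('', 'time', $2);
      );
      # The raw key=value text would never aggregate; replace it.
      v.message = '(omitted)';
    );
  ); # if listed fields

  # Clean up message field; remove milliseconds and timestamp so it aggregates better
  #v.message = get_collected_field('', 'message'); # not collected above any more
  # NOTE(review): "ms\." uses a single backslash while the other patterns in this filter use
  # "\\\\(".  If one unescape level strips it, the "." matches any character, which still
  # matches " ms." -- confirm which escaping is intended.
  if (contains(v.message, ' ms.') and matches_regular_expression(v.message, '^(.* )[0-9-]+( ms\..*)$')) then (
    v.message = $1 . '(omitted)' . $2;
  );
  # Catches a "(YYYY-MM-DD HH:MM:SS)" that is not at the very end of the line, e.g. before "<000>".
  if (matches_regular_expression(v.message, '^(.*)\\\\([0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]\\\\)(.*)$')) then (
    v.message = $1 . '(omitted)' . $2;
  );
  set_collected_field('', 'message', v.message);
  accept_collected_entry('', false);
);
`

  # Database fields
  database.fields = {
    device_id = ""
    # start_time = ""
    service = ""
    policy_id = ""
    protocol = ""
    security_level = ""
    attack = ""
    message = ""
    category = ""
    content_category = ""
    action = ""
    email = ""
    reason = ""
    virus = ""
    src = ""
    dst = ""
    src_port = ""
    dst_port = ""
    src_zone = ""
    dst_zone = ""
    page = ""
    translated_ip = ""
    port = ""
    icmp_type = ""
    user = ""
    location = {
      suppress_bottom = 3
    } # location
  } # database.fields

  database.numerical_fields = {
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
    rcvd = {
      type = "float"
      display_format_type = "bandwidth"
    } # rcvd
    sent = {
      type = "float"
      display_format_type = "bandwidth"
    } # sent
    # Derived by the calc_total_bandwidth log filter below, not read from the log.
    bytes = {
      requires_log_field = false
      type = "float"
      display_format_type = "bandwidth"
    } # bytes
    duration = {
      type = "float"
      display_format_type = "duration_compact"
    } # duration
  } # database.numerical_fields

  log.filters = {
    calc_total_bandwidth = {
      label = "$lang_stats.field_labels.bytes"
      comment = "$lang_stats.field_labels.bytes"
      value = "bytes = 0.0 + sent + rcvd;"
      position = "0"
    } # calc_total_bandwidth
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
      position = "1"
    } # mark_entry
  } # log.filters

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options

} # net_screen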